Re: Linux Firewall Suggestion

From: Mike (honey_at_michaelmoyse.co.uk)
Date: 05/04/05

  • Next message: J.O. Aho: "Re: Network"
    Date: Wed, 04 May 2005 13:00:35 +0100
    
    

    Jack Masters wrote:
    > Mike wrote:
    >
    >> KP wrote:
    >>
    >>> I work for a company that has no firewall. We are 20 person company
    >>> whose connection to the Internet is via Cisco 1610 router - T1.
    >>>
    >>> The router (pseudo firewall - really NAT) maps 3 PUBLIC IP / External
    >>> Address (our mail, web site, and FTP) to 3 of the Internal Servers.
    >>> It does a one to map mapping.
    >>>
    >>> Server 1=Exchange 2003/Outlook Web Access(port 80,443) - (public ip
    >>> 100.100.100.100 to private 192.168.1.10);
    >>> Server 2=Sharepoint Portal 2003/Project Server 2003(port 80 and 443)
    >>> - (public ip 100.100.100.101 to private 192.168.1.11);
    >>> Server 3=FTP Site and MS PPTP VPN (port 21,1721) - (public ip
    >>> 100.100.100.102 to private 192.168.1.12);
    >>>
    >>> My GOALis to get a Linux firewall that is SIMPLE to use to place
    >>> between the internal network and our Internet router. Also, it has
    >>> to be able to route traffic destined on public ip xxx.xxx.xxx.xxx to
    >>> private ip xxx.xxx.xxx.xxx- same as 1 to 1 NAT mapping but more
    >>> locked down due to firewall features. Because multiple servers have
    >>> port 80 and 443, I can't just do port forwarding. It must be
    >>> intelligent enough to see the URL/URI to forward to the right box.
    >>>
    >>> Hope this made sense.
    >>>
    >>> What would you guys suggest in terms in the Linux distro with this
    >>> capability, and how I should set it up?
    >>>
    >>> Thank you!
    >>>
    >>
    >> If you are not sure what you are doing, don't play with your company
    >> network. This is not the place to start learning about Linux
    >> firewalls. Invest your money in a hardware solution such as a
    >> Watchguard Firebox. You will find it easier to implement as it has a
    >> Windows front end and you will get all the benefits of a
    >> Linux/Iptables box as that is what it uses. You will also get first
    >> rate support (They can even configure the box remotely for you) and
    >> upgrades.
    >>
    >> I'm not affiliated to Watchguard in any way. I just use their boxes
    >> and also build Linux firewalls using IPCOP and Smoothwall or just
    >> plain old IPtables.
    >>
    >> Mike
    >
    >
    > Any firewall, even a badly configured one, would be better than leaving
    > the network wide open. Playing with the firewall on a live network may
    > open one up to (physical) abuse from users that see their lunchtime
    > surfing/IM interrupted, but starting off with one of the many example
    > scripts available would be difficult to create a FW that opens the
    > network up further than it already is.
    >
    > J
    >

    Would you learn to wire a house by doing it with the power on?

    Would you learn to service a car by playing with your fathers brand new
    Porche?

    Bottom line, you do not learn by playing with live systems. Only a fool
    would do that.


  • Next message: J.O. Aho: "Re: Network"